1. When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
A) Compliance with international security standards. B) Use of a two-factor authentication system. C) Existence of an alternate hot site in case of business disruption. D) Compliance with the organization's information security requirements.
2. To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
A) review the functionalities and implementation requirements of the solution. B) review comparison reports of tool implementation in peer companies. C) provide examples of situations where such a tool would be useful. D) substantiate the investment in meeting organizational needs.
3. The MOST useful way to describe the objectives in the information security strategy is through:
A) attributes and characteristics of the 'desired state.' B) overall control objectives of the security program. C) mapping the IT systems to key business processes. D) calculation of annual loss expectations.
4. In order to highlight to management the importance of network security, the security manager should FIRST:
A) develop a security architecture. B) install a network intrusion detection system (NIDS) and prepare a list of attacks. C) develop a network security policy. D) conduct a risk assessment.
5. When developing an information security program, what is the MOST useful source of information for determining available resources?
A) Proficiency test B) Job descriptions C) Organization chart D) Skills inventory
1. Right Answer: D Explanation: From a security standpoint, compliance with the organization's information security requirements is one of the most important topics that should be included in the contract with a third-party service provider. The scope of implemented controls in any ISO 27001-compliant organization depends on the security requirements established by each organization. Requiring compliance only with this security standard does not guarantee that a service provider complies with the organization's security requirements. The requirement to use a specific kind of control methodology is not usually stated in the contract with third-party service providers.
2. Right Answer: D Explanation: Any investment must be reviewed to determine whether it is cost effective and supports the organizational strategy. It is important to review the features and functionalities provided by such a tool, and to provide examples of situations where the tool would be useful, but that comes after substantiating the investment and return on investment to the organization.
3. Right Answer: A Explanation: Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired. Control objectives are developed after strategy and policy development. Mapping IT systems to key business processes does not address strategy issues. Calculation of annual loss expectations would not describe the objectives in the information security strategy.
4. Right Answer: D Explanation: A risk assessment would be most helpful to management in understanding at a very high level the threats, probabilities and existing controls. Developing a security architecture, installing a network intrusion detection system (NIDS) and preparing a list of attacks on the network and developing a network security policy would not be as effective in highlighting the importance to management and would follow only after performing a risk assessment.
5. Right Answer: D Explanation: A skills inventory would help identify the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.